You are not logged in.

#1 2019-12-02 07:03:11

hoWlExat
Member
Registered: 2019-11-15
Posts: 35

[SOLVED] Policy-based routing based on port

I have a working SSH server set up. I would like to be able to have my VPN enabled on that server, but when it's enabled, it modifies the `iptables` rules (and maybe more) to route all outgoing traffic via the VPN. So instead of the SSH outbound packets going back via the route they came, they get sent via the VPN. This makes it impossible to SSH into that server when the VPN is enabled, as any clients won't receive their return packets via the expected channels.

I am very new to all of this networking stuff, but I've been told that setting up policy-based routing for traffic on my SSH port might be able to solve this problem. I've found this seemingly useful example, but it's not specifically for port-based policies, and there's enough that I don't yet understand in that article that I'm not able to act on it. Most other articles I've found seem to be written for networking professionals.

Is anyone able to give me a rundown on the different steps I'll have to take and components I'll be dealing with when setting up policy-based routing for SSH traffic?

Thank you so much!

Last edited by hoWlExat (2023-12-19 03:27:05)

Offline

#2 2023-11-14 04:03:40

luthis
Member
Registered: 2016-02-12
Posts: 8

Re: [SOLVED] Policy-based routing based on port

I had the same issue,

I spent literally hours learning nftables and ulogd, only to do this super easily another way.

  sudo ip route add default via 192.168.19.1 table 10
  sudo ip rule add sport 65500 table 10
  sudo ip route flush cache
  ip rule show

resources I used:

http://linux-ip.net/html/tools-ip-rule.html

Now gotta add this so that it survives a reboot

Offline

#3 2023-11-14 09:25:51

luthis
Member
Registered: 2016-02-12
Posts: 8

Re: [SOLVED] Policy-based routing based on port

Ok so to be concise for you users of the future,

# add a default route to some table, arbitrarily table 10 but you can use whatever number (RTFM)
  sudo ip route add default via 192.168.19.1 table 10
# add a rule for the return traffic from your ssh host (I changed my ssh port to this port, so my remote client is expecting traffic back on this port, you probably want to set port 22)
  sudo ip rule add sport 65500 table 10
# self explanatory
  sudo ip route flush cache
#check out your fancy new rule
  ip rule show

And to make this persistent across reboots, add to:

/etc/systemd/network/20-wired.network

(or whatever your file there is, add the following to the bottom)

[Route]
Gateway=192.168.19.1
Table=10

[RoutingPolicyRule]
SourcePort=65500
Table=10

Offline

#4 2023-12-13 08:14:45

hoWlExat
Member
Registered: 2019-11-15
Posts: 35

Re: [SOLVED] Policy-based routing based on port

Thank you for the replies. Unfortunately, I have not managed to get it to work, yet.

For an example, let's say my SSH server has an IP of 192.168.1.2 and is listening on port 100.
I tried following your examples, replacing `via 192.168.19.1` with `via 192.168.1.2`, and replacing `sport 65500` with `sport 100`.
I also tried all sorts of combinations of sport and dport, using 100 and 22.

Still no luck when I have turned on the VPN on the SSH server.
Any further ideas? Thanks

Offline

#5 2023-12-14 05:47:48

-thc
Member
Registered: 2017-03-15
Posts: 485

Re: [SOLVED] Policy-based routing based on port

Before turning on the VPN on your SSH server it uses a default gateway (the local router).

In "luthis" example "192.168.19.1" is the address of that gateway - not the IP address of your server.

Offline

#6 2023-12-19 03:25:27

hoWlExat
Member
Registered: 2019-11-15
Posts: 35

Re: [SOLVED] Policy-based routing based on port

Wow, thank you both so much for the help! This solved it.
So to be clear, I ran the commands:

[user@mylaptop]# sudo su -
[root@mylaptop]# ip route add default via <my-router-ip> table <my-random-int-choice>
[root@mylaptop]# ip rule add sport <the-port-used-for-ssh> table <my-random-int-choice>
[root@mylaptop]# ip route flush cache
[root@mylaptop]# ip rule show
[root@mylaptop]# ip route show table <my-random-int-choice>

Now, I can have my SSH server connected to a VPN and I can successfully SSH into that server from my laptop.
Thank you! big_smile

Offline

#7 2023-12-19 07:54:54

hoWlExat
Member
Registered: 2019-11-15
Posts: 35

Re: [SOLVED] Policy-based routing based on port

To persist the settings, I ended up making a custom systemd service that just executes a script once the network-online.target is hit. Only two lines were needed in that script:

#!/bin/bash
ip route add default via <my-router-ip> table <my-random-int-choice>
ip rule add sport <the-port-used-for-ssh> table <my-random-int-choice>

Last edited by hoWlExat (2023-12-19 07:55:27)

Offline

Board footer

Powered by FluxBB